Using Sonar for Identification

An interesting article appeared in TechXplore last week discussing a new technology called “VoiceGesture” that combines sonar with voice biometrics. This clever technology was developed by a research team from Florida State University in Tallahassee to introduce liveness testing that helps detect recorded playback attacks (“spoofing”).

Some voice biometric systems have been fraudulently bypassed using recorded speech samples. With the proliferation and availability of speech samples on the Internet and social media sites, and with emerging AI-based speech synthesis technologies such as Lyrebird, this research is both timely and relevant.

Voice biometric fraud committed with voice recordings or speech synthesis is a valid concern. But no one should be ready to discard voice biometric technology! For now, this is the latest battle in the ongoing war with fraudsters. Companies develop security technologies, hackers and fraudsters figure out how to defeat them, companies then develop countermeasures, hackers and fraudsters then develop counter-countermeasures, and so on. This is an unfortunate fact of corporate life for VBG scientists -- and all other security technology companies for that matter.

Two follow-up points come to mind when reading this article: (1) the VoiceGesture approach has dependencies which may limit its widespread adoption, and (2) the susceptibility of voice biometrics to recorded playback attacks and speech synthesis continues to hammer home the need for multi-factor authentication (MFA). Each of these points is explored further.

Regarding dependencies, VoiceGesture requires the generation of a specific tone (frequency) and requires the device to be close to the mouth. In the real world, it is likely that similar frequencies or noises will interfere with the tone, and the proper proximity of device to mouth will likely not always be maintained. If you need to use both hands and enter speakerphone mode – or rest the phone between your cheek and shoulder – what happens then?

Also, the device used with VoiceGesture is presumed to be a mobile phone, which is yet another dependency. At VBG, we have application speech being sourced from many other devices, such as Amazon Alexa, corporate VoIP phones, WebRTC, and even medical and IoT devices. It’s unclear whether this sonar-based technology can be applied to these scenarios – which may limit widespread adoption. Regardless, the research team should be applauded for developing this novel technology, and there are MANY viable use cases involving mobile phones, so we wish them well.

The other subtle point here is their use of MFA. The research team has combined something you have (mobile phone), with something you are (voice biometric), and sonar (another biometric variant). These are all considered security “factors”.

VBG has long advocated the use of MFA (see our guide) because no one security factor is 100% foolproof when used by itself. Should one factor fail or be bypassed, another two or three factors are there to help protect you.

A final point about MFA is worth mentioning as well. Many research articles talk about security factors being compromised – but they are typically looking at one factor in a vacuum and fail to mention the high degree of cooperation or collusion that is implied. How likely is it that a fraudster will have access to your mobile phone, will know the answers to your secret questions, and will be able to defeat your voice biometric, fingerprint, or other biometric factor? The answer is: “highly unlikely”.